1.6 dev cbom #347
Merged
1.6 dev cbom #347
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: steve.springett <steve.springett@servicenow.com>
Signed-off-by: steve.springett <steve.springett@servicenow.com>
Signed-off-by: steve.springett <steve.springett@servicenow.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Steve Springett <steve@springett.us>
This PR follows our CBOM WG call from Oct 12. It removes the `detectionContext` property from components and merges them with `componentEvidence`. The following properties are added to evidence: - `lineNumber` - `offset` - `symbol` - `additionalContext` The plan is to make a separate proposal/PR for `keyword` The PR also removes the extra fields for confidence levels since they are already covered by `componentEvidence`. Tagging @stevespringett @n1ckl0sk0rtge @mrutkows
This addresses the use case described in IBM/CBOM#31: - Expiry and life cycle of any relatedCryptoMaterial (e.g. keys, tokens, password) should be expressible. This is done by merging the "key" asset type and "relatedCryptoMaterial" to "relatedCryptoMaterial", which contains the needed properties.
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
The new property 'parameterSetIdentifier' replaces 'variant' and contains information about the parameter set identifying an algorithm. This can be, for example, the key length (in AES), the digest length (in SHA2), or the hash algorithm used internally (in SLH-DSA / FIPS205). The "description" field contains some examples. This PR is motivated by IBM/CBOM#37 and intends to address its use case. Tagging @stevespringett, @n1ckl0sk0rtge, @mrutkows, @GeroDittmann
Signed-off-by: steve.springett <steve.springett@servicenow.com>
|
created this PR to make an early review easier. |
jkowalleck
commented
Nov 28, 2023
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Reviews the description fields and addresses my TODOs.
This was
linked to
issues
Dec 4, 2023
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Adds 'combiner' as enum entry in 'primitive'. Addresses the use case when combinations of (e.g.) classical crypto like RSA is used together with QSC like Dilithium. An entry of this primitive allows to express the combiner used. Adding dependencies to RSA/Dilithium then allows to express the algorithms used in the combiner. Note: "combiners" are also known as "hybrids", but this term can be ambiguous so I prefer the term combiner.
Signed-off-by: steve.springett <steve.springett@servicenow.com>
Signed-off-by: Steve Springett <steve@springett.us>
It might be more common from the perspective of data to know with which crypto asset it is "protected-by" than knowing for a crypto asset what data it "protects".
I agree, an array would be useful.
Tagging @n1ckl0sk0rtge for your thoughts. signatureAlgorithm and SubjectPublicKey are fields for certificates and algorithmRef is a field in relatedCryptoMaterial. I think it's useful to be able to express these references. Ok with me to make it more consistent though. |
|
@stevespringett @bhess is this ready for review? |
|
@jkowalleck I need to make a few minor changes this weekend that were a result of this weeks FWG meeting and will resolve the conflicts as well. |
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us> # Conflicts: # docgen/json/templates/cyclonedx/content.html # schema/bom-1.6.proto # schema/bom-1.6.schema.json # schema/bom-1.6.xsd # tools/src/test/js/json-schema-lint-tests.js
…ting. Minor changes to JSON schema. Signed-off-by: Steve Springett <steve@springett.us>
stevespringett
approved these changes
Jan 23, 2024
prabhu
reviewed
Jan 23, 2024
bhess
reviewed
Jan 23, 2024
Signed-off-by: Steve Springett <steve@springett.us>
…k/frames. Signed-off-by: Steve Springett <steve@springett.us>
jkowalleck
commented
Jan 25, 2024
stevespringett
added
promote to tc54
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
changes as discussed here: #347 (comment)
Merged
stevespringett
added a commit
that referenced
this pull request
Apr 9, 2024
## Added * Core enhancement: Attestation ([#192](#192) via [#348](#348)) * Core enhancement: Cryptography Bill of Materials — CBOM ([#171](#171), [#291](#291) via [#347](#347)) * Feature to express the URL to source distribution ([#98](#98) via [#269](#269)) * Feature to express the URL to RFC 9116 compliant documents ([#380](#380) via [#381](#381)) * Feature to express tags/keywords for services and components (via [#383](#383)) * Feature to express details for component authors ([#335](#335) via [#379](#379)) * Feature to express details for component and BOM manufacturer ([#346](#346) via [#379](#379)) * Feature to express communicate concluded values from observed evidences ([#411](#411) via [#412](#412)) * Features to express license acknowledgement ([#407](#407) via [#408](#408)) * Feature to express environmental consideration information for model cards ([#396](#396) via [#395](#395)) * Feature to express the address of organizational entities (via [#395](#395)) * Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs ([#413](#413) via [#414](#414)) ## Fixed * Allow multiple evidence identities by XML/JSON schema ([#272](#272) via [#359](#359)) This was already correct via ProtoBuff schema. * Prevent empty `license` entities by XML schema ([#288](#288) via [#292](#292)) This was already correct in JSON/ProtoBuff schema. * Prevent empty or malformed `property` entities by JSON schema ([#371](#371) via [#375](#375)) This was already correct in XML/ProtoBuff schema. * Allow multiple `licenses` in `Metadata` by ProtoBuff schema ([#264](#264) via [#401](#401)) This was already correct in XML/JSON schema. ## Changed * Allow arbitrary `$schema` values by JSON schema ([#402](#402) via [#403](#403)) * Increased max length of `versionRange` (via [`3e01ce6`](3e01ce6)) * Harmonized length of `version` (via [#417](#417)) ## Deprecated * Data model "Component"'s field `author` was deprecated. (via [#379](#379)) Use field `authors` or field `manufacturer` instead. * Data model "Metadata"'s field `manufacture` was deprecated. ([#346](#346) via [#379](#379)) Use "Metadata"'s field `component`'s field `manufacturer` instead. - for XML: `/bom/metadata/component/manufacturer` - for JSON: `$.metadata.component.manufacturer` - for ProtoBuf: `Bom:metadata.component.manufacturer` ## Documentation * Centralize version and version-range (via [#322](#322)) * Streamlined SPDX expression related descriptions (via [#327](#327)) * Enhanced descriptions of `bom-ref`/`refType` ([#336](#336) via [#344](#344)) * Enhanced readability of enum documentation in JSON schema ([#361](#361) via [#362](#362)) * Fixed typo "compliment" -> "complement" (via [#369](#369)) * Added documentation for enum "ComponentScope"'s values in JSON schema ([#293](#293) via [`d92e58e`](d92e58e)) Texts were a taken from the existing ones in XML/ProtoBuff schema. * Added documentation for enum "TaskType"'s values ([#245](#245) via [#377](#377)) * Improve documentation for data model "Metadata"'s field `licenses` ([#273](#273) via [#378](#378)) * Added documentation for enum "MachineLearningApproachType"'s values ([#351](#351) via [#416](#416)) * Rephrased some texts here and there. ## Test data * Added test data for newly added use cases * Added quality assurance for our ProtoBuf schemas ([#384](#384) via [#385](#385))
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
specific goals:
task list for spec enhacement